Learn the active and passive aspects of PHP language process control

What are active and passive in PHP language process control? Let’s take an example. If you go to your boss’s office and ask for a salary increase, this is initiative. Whether from your own perspective or from the boss’s perspective, you are proactive and positive. If the boss asks You go to the office, and then you are asked to structure Taobao and give you a 20% salary increase. This is called passive. I believe that you will be passive if you promise. Active and passive are simply understood in this way. And you will also encounter such embarrassment in the program process. Active vs passive question. Let’s look at an example.

A clier When buy qq successfully purchases goods, it notifies the QQ main server. Through the http protocol. file_get_contents('http://www.qq.com/api.php?add_saleinfo=buy_qq&orderid=12345&pay=888&email=a@qq.com');

The code runs on buy.qq.com, which seems to be safe, but what about the reality? If someone distributes this interface, the consequences will be immeasurable. Anyone can forge order information and implant it into qq.com. No matter what How do you restrict sources and check data? Taking a step back, the person who writes the code is the most dangerous. Then everyone will ask, since the person who wrote the code has great authority, how can it be prevented? This needs to be done passively. (qq.com) becomes active. http://www.qq.com/api.php?add_saleinfo=buy_qq is modified to no longer receive any order information. Instead, it will receive the token value. After receiving the token value, the interface calls back buy. The query interface of qq is then stored in the database. Ordinary users can no longer create token values. Even if they know the query interface of buy.qq, it cannot affect qq.com. As the main body, qq.com is basically proactive and will not We are always confused about warehousing, but proactively analyze and think about warehousing.

The same principle applies. Taobao players also have this problem. For example, some browsers that were exposed in the past modified the pid value in the web page, causing heavy losses to users. This is a passive result. PHP is written like this, PHP requests the Taobao API interface and receives When you go to the product information, there is a purchase link for the product. It is this purchase link that makes the webmaster passive. Users who directly href this link on the page may be collected by others and have their pid modified by the browser. Next, you Yes, you know, pid represents money. Someone has thought about this problem later, and adopted a passive and proactive approach to prevent bugs. That is, the product link is not displayed directly, but modified through a PHP. The URL that the user sees is similar to: www.qq.com/tao/buy.php?sid=aaaa333 The sid is definitely not the pid value. All work is carried out by buy.php, which actively undertakes analysis and security testing.

QQ Internet 2.0 has been widely used on Internet sites. How does graph.qq.com, as the main center of user data, ensure user security? It must also improve security while ensuring access speed. The current process of QQ login is as follows: First The appid appkey callbackurl is combined into a string of links, and then jumps to qq.com. This is why many sites can jump to the qq login page by directly accessing qqlogin.php, because these parameters are fixed and the security is pretty good. The login process is still at qq.com, which is the single sign-on that PHP often talks about. After successful login, it will jump directly to the callbackurl page. The information obtained by callbackurl at this time is still not enough to prove that the user has successfully logged in, only the token value is obtained. , so enter the second step, use the token value to query the user openid on the QQ API interface, and complete the login. In this way, QQ has to take the initiative. The query result is not simply whether it is successful or not, but the corresponding parameters and prompt information, regardless of the later stage. No matter how you add it, it will be compatible. Tencent has the initiative, which is very important for companies with hundreds of millions of users. Internal security also includes determining the correspondence between domain names and appids, token expiration checks, and IP restrictions. From a technical perspective, Tencent There is.

There are many such examples, including PayPal and Alipay, which are all similar.